A few weeks ago I ran across an article (via some social site) on Huffington Post. I read articles there from time to time, and I thought, why not follow them on Twitter? I found the Twitter icon, clicked on it and got presented with a small dialog giving me a few options.
Well, I don’t want to log in to their site using Twitter, so I click on the big Follow button. What happened next surprised me: I ended up on the Twitter OAuth page…that has a tantalizing big blue “Allow” button.
For those who may not know what OAuth is, put simply, it is a way to authorize one website to access your data from another website without giving away your password. Generally the first website will ask for certain kinds of access, such as posting to your wall (Facebook), reading your contacts, or accessing your profile information (e.g. email address, age).
Despite Twitter saying they “take your privacy very seriously”, when you give Twitter OAuth access to a site, the website gets access to everything in your Twitter account, including reading your direct messages (kind of like private messages between two Twitter users), the people you follow, and the people who follow you. Basically, a site using OAuth with Twitter can do everything you can do on Twitter; they are, in fact, YOU.
Well, I was a bit shocked that I was being asked for access to my Twitter account just so I could follow their tweets; it’s unnecessary. My next thought was, why do they want this access? Their login page really doesn’t explain or provide me a way to find out.
I looked at their privacy statement: no mention of Twitter. I looked at the user agreement: way too long and too full of legalese to digest. I finally thought of looking in the FAQ, and while it doesn’t explicitly state what they will do with my Twitter account, I kind of figured it out (they’ll use my contacts to show them what I see on the site, and likewise to let me see what my contacts view).
Well, that’s kind of OK, if that was what I was trying to do. All I wanted was to follow their tweets. I wonder how many of their 785K followers gave them full access to their accounts.
Then I wondered about what they would get from other accounts. With Google they get my Gmail address and my contacts. With Yahoo!, they get access to my status, my updates, contacts and profile. I don’t even bother looking at what they get from Facebook; it would be too much.
All I wanted to do was follow their tweets.
Why is this a problem? Well, I do a bit of work with OAuth and OpenID and understand what can be obtained from using these. I think they are great technologies when used correctly. That’s the problem. When used incorrectly, typical non-technical users are not going to understand the implications. My hunch is that the typical user will give that access away without necessarily understanding what is happening.
Is the problem OAuth?
While there are problems that should be fixed in OAuth, the scenario above is not fixable by the OAuth protocol. The scenario above is an example of two organizations doing the wrong thing with the OAuth protocol. Twitter simply does not provide enough controls, tossing out the baby with the bathwater. Huffington Post appears to be attempting to gain subscribers by relying on the lack of understanding that the general population has around the technologies involved. Yes, given some knowledge and digging I feel like I know what will happen with my data; no, I don’t feel like either organization is Evil, just Wrong.
I decided not to follow Huffington Post and feel somewhat deflated.
Sidenote: yes, a website may limit its access to only reading your Twitter data, but that still gives access to all your data.